Authored by: PlexTrac Author Posted on: October 17, 2019 Why Does Password Strength and Complexity Matter? It’s worth taking a moment to review why password length/complexity are so important, and why password re-use is so very, very bad. When you create a username and password combination, the server responsible for performing the authentication stores your password in an encrypted format called a “hash.” When you authenticate, the application you use takes the password you enter and performs the same hashing operation, and then the server compares the two hashes. If the hashes match, you are granted access. How Hackers Get Your Password When attackers steal the credentials list from a server, they normally only obtain the hashes of passwords – not the passwords themselves. To “crack” a password, the attacker needs to determine what character string, when passed through the hashing algorithm, will produce the matching hash. The two primary methods to crack passwords are brute-force and dictionary attacks. In a brute-force attack, the cracking computer tries every combination of all letters, numbers and special characters. Each combination is put through the hashing algorithm and compared against the list of hashes. Even when using all character varieties, cracking a password of seven characters or less is trivial for modern desktop computers. But each additional character dramatically increases the number of possible combinations, especially if the password uses the full character set. Dictionary attacks play upon our tendency to pick passwords that are combinations of words or variations thereof. The cracking machine simply tries combinations of all the words in a dictionary file, often “mangling” them to overcome common practices like substituting “@” for “a” and “!” for “I.” How Much Password Complexity Do You Need? So how much length and complexity is enough? Ideally, the answer is “as long and complex as the site will allow.” Advances in cloud computing have made it inexpensive for attackers to rent incredibly powerful hash-cracking beasts. A physical computer that would cost over $20,000 to purchase can be had for $7.20 an hour in Amazon’s EC2 cloud. So you create an incredible password for your bank account, something like “d8$k24Vs(&3i90q0i6%x7?jsq1wn^DP7Qe2.” You even manage to memorize this thing of beauty. But that was hard, and you are not Rain Man. So you re-use this password when you create your account at redneckbaitshop.com. Bubba, the proprietor and chief worm farmer at redneckbaitshop.com, decided to build his own e-commerce site, and he stores all credentials without encryption. Not surprisingly, redneckbaitshop.com is hacked and attackers steal the credentials list. Within minutes, the attackers are trying every username and password combination on all the major banking sites – including yours. That beautiful password you created is now used against you to drain your life savings. PlexTrac Author At PlexTrac, we bring together insights from a diverse range of voices. Our blog features contributions from industry experts, ethical hackers, CTOs, influencers, and PlexTrac team members—all sharing valuable perspectives on cybersecurity, pentesting, and risk management.
How Do I Pentest My LLM? In the world of cybersecurity, AI is the perpetual topic du jour, and more specifically Generative AI. The use of LLMs for all kinds of use cases is the craze and the AI ecosystem continues to move at a rapid pace. When it comes to pentesting, the job of every tester is to keep up... READ ARTICLE
What FedRAMP’s New Vulnerability Management Standard Means for Pentesters and Vuln Managers Breaking Down the New RFC-0012 Standard Under FedRAMP and How It Can Change Your Daily Security Operations If you work in vulnerability management or penetration testing for cloud systems under FedRAMP, buckle up because the new RFC-0012: FedRAMP Continuous Vulnerability Management Standard is going to change how your work is scoped, tracked, and prioritized. The... READ ARTICLE
Beneath the Hat: My Black Hat 2025 Takeaways, Including the AI Imperative As I write this from the airport, the desert heat of Las Vegas is finally fading and I’m reflecting on the whirlwind that was Black Hat USA 2025. For me, this conference is always about two things: the people and the ideas. We hosted our annual Customer Appreciation Night and ran a Pentest Reporting Bootcamp,... READ ARTICLE